For many companies, especially small to midsize businesses (SMBs), the actual location of their data may be a mystery. Let’s say, for example, that you run on a cloud-based server cluster in the Northern Virginia region of Amazon Web Services (AWS). That means your data is in Northern Virginia, right? Probably, yes. But suppose you also do business with companies or individuals in Europe. Then the data about those entities is probably sitting in that same region, and in a very short time that may be a problem.
On Friday, May 25, 2018, the General Data Protection Regulation (GDPR) of the European Union (EU) becomes enforceable. From that point, your company falls under the EU’s requirements for protecting the personal data of people in the EU. Even if you’re not located in Europe, your company is still subject to those rules if you hold or process personal data about people in the EU in connection with offering them goods or services or monitoring their behavior. The catch is that, even if you think pulling that data back to your US corporate location will keep it better protected, you may not be allowed to transfer it to the United States without a recognized transfer mechanism.
More importantly, the GDPR aside, there are other rules about cross-border data flows that you also need to consider, because personal data about an EU citizen (or about someone living in the EU who isn’t a citizen) passing through another country on the way may itself be problematic. So you need to know more than where the data rests when you store it: you need to know where it travels between you and wherever your customer or employee happens to be.
I’m not going to go into the draconian penalties that may await you if you violate the rules of the GDPR because they have been outlined in this column and in plenty of other places in the past. So, let’s just say, you don’t want these penalties to ever be applied to you.
7 Paths to GDPR Compliance
But as long as you take some preventive steps, you shouldn’t have to worry about penalties. There are some fairly easy things you can do to avoid problems. Here are seven of them, roughly in order from easiest to hardest.
1. Don’t collect personal information from people in the EU. If your website lets someone enter personal information (name and address, for example) when registering, then either don’t accept registrations from the EU or don’t accept registrations at all.

2. If you must accept personal information from people in the EU (perhaps because your e-commerce website sells there), store the data in a cloud region inside the EU. Often this is simply a matter of selecting an EU region when you configure an Infrastructure-as-a-Service (IaaS) server cluster with your current cloud provider. Alternatively, a short engagement with the provider’s professional services arm will get the job done for you, and if you engage their Europe-based consultants you’ll probably get the supporting documentation too. Either way, check that backups, replicas, logs, and provider support access stay inside the region as well; the location of the primary server alone doesn’t settle the question.

3. Transfers to the US, or to other countries outside the EU, are possible but limited. Outside the EU, the easy cases are countries the European Commission has recognized as providing adequate protection. For the US, at the time of writing, the mechanism is the Privacy Shield framework, under which a US organization self-certifies to the US Department of Commerce that it meets the framework’s privacy principles for data received from the EU (a parallel Swiss-US framework covers Switzerland). Be aware that the EU-US Privacy Shield was later invalidated by the Court of Justice of the EU in July 2020 (the Schrems II judgment), so confirm the current status of any transfer mechanism before relying on it. Even with a valid transfer mechanism, the GDPR limits collection and retention to what’s necessary for the stated purpose (data minimisation and purpose limitation). That means having someone who knows the GDPR in detail track your various data flows. While tedious, this is the only way to be sure you’re in compliance.

4. If you process data, whether in the EU or in the US, you must meet specific requirements. Depending on what you do, that can include appointing a Data Protection Officer (DPO): the GDPR requires one for public authorities and for organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data. Many smaller businesses won’t strictly need a DPO, but someone still has to own the work. You’ll also have to set up a workflow for deleting data when it’s no longer needed, and this gets especially complex because it must cover erasure requests from people exercising the "right to be forgotten" (which is not absolute; data you are legally required to retain can be kept). Frankly, that’s another reason to think twice about storing information about people from the EU.

5. If you really have to do business in the EU, then you should probably think about having a presence there rather than just a cloud account with a server or business-grade file sharing service in Europe. You may want to engage a company to handle your affairs in Europe, or you may want to open an office, since staffing GDPR experts and consultants will be easier on that side of the pond, not to mention that simply doing European business in a post-GDPR world will be inherently easier in Europe than anywhere else.

6. If you open an office, then your employees in Europe also need to have their information handled according to GDPR rules. While you can hold employee records in the US (subject to the transfer rules in item 3), you’ll need to follow the rules, including not holding any information that isn’t necessary for the employment relationship. Note that consent is rarely the right lawful basis for employee data: because of the imbalance of power between employer and employee, the GDPR treats employee consent as hard to give freely, so payroll and similar processing should rest on contractual necessity or legal obligation instead. Your DPO (or whoever owns that role) will need to evaluate everything you store to be sure it’s required. For example, you can’t ask for a photograph unless there’s a reason, and then you have to give a specific justification as to how it will be used. Where you do rely on consent, the employee must be free to decline with no repercussions.

7. Now for the complicated part: The IT department must be able to determine where the protected data is located at all times, where it goes while you’re using it, where it’s stored, and how it’s protected. Just to say it’s on your cloud server in Ireland isn’t enough; your folks will have to know how it gets to that server, what happens to it when it’s used, and how it’s protected, in detail. Your best bet is to hire experts to do this for you, at least for the initial mappings and the selection of management tools that will maintain that information. A DPO and support staff may eventually be required, but in the short term, most businesses would do well to at least engage a consultant with verifiable expertise.
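Item 2 above says to keep the cluster in an EU region. Choosing the region once is not the same as preventing someone from spinning up a copy in Northern Virginia next month, so here, as an added example that is not from the original article, is an AWS Service Control Policy (SCP) that denies API calls targeting any region outside an allowlist, together with a small evaluator that shows how the policy’s NotAction/StringNotEquals logic decides a call. The region list, the statement Sid, the excepted global services and the sample calls are assumptions for illustration.

```python
"""Added example (not from the original article): an AWS Service Control
Policy (SCP) that pins an organizational unit to EU regions, plus a small
evaluator that shows how the policy's NotAction/StringNotEquals condition
decides a call. Region list, Sid and the set of excepted global services
are assumptions for illustration; extend them for your own accounts."""
import fnmatch
import json

# Assumed allowlist: the EU regions the business has chosen to run in.
EU_REGIONS = ["eu-west-1", "eu-central-1"]

# Services with no region of their own must be excepted, or every call to
# them is denied. This subset is an assumption; add any global service you use.
GLOBAL_SERVICE_ACTIONS = [
    "iam:*",
    "organizations:*",
    "sts:*",
    "support:*",
    "route53:*",
    "cloudfront:*",
    "budgets:*",
]

REGION_PIN_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyOutsideEURegions",  # assumed label
            "Effect": "Deny",
            "NotAction": GLOBAL_SERVICE_ACTIONS,
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {"aws:RequestedRegion": EU_REGIONS}
            },
        }
    ],
}


def scp_json() -> str:
    """Render the policy document to attach via the Organizations API."""
    return json.dumps(REGION_PIN_SCP, indent=2)


def _action_matches(pattern: str, action: str) -> bool:
    # IAM action patterns are case-insensitive and allow '*' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def denied_by_region_pin(action: str, region: str) -> bool:
    """Return True if the SCP's Deny statement matches this API call.

    Mirrors the statement above: the Deny applies to every action NOT listed
    in NotAction, and only when aws:RequestedRegion is not in the allowlist.
    An SCP never grants anything, so "not denied" still needs an IAM allow.
    """
    stmt = REGION_PIN_SCP["Statement"][0]
    if any(_action_matches(p, action) for p in stmt["NotAction"]):
        return False  # excepted global service; the statement does not apply
    allowed = stmt["Condition"]["StringNotEquals"]["aws:RequestedRegion"]
    return region not in allowed


def audit_calls(calls):
    """Return the (action, region) pairs the policy would deny."""
    return [(a, r) for a, r in calls if denied_by_region_pin(a, r)]


if __name__ == "__main__":
    # Constructed sample of API calls (the kind of thing you'd pull from
    # CloudTrail) to see what the policy would have blocked.
    sample = [
        ("ec2:RunInstances", "eu-west-1"),
        ("ec2:RunInstances", "us-east-1"),  # the Northern Virginia cluster
        ("s3:PutObject", "eu-central-1"),
        ("s3:CreateBucket", "us-west-2"),
        ("iam:CreateUser", "us-east-1"),  # global service, not region-bound
    ]
    for action, region in audit_calls(sample):
        print(f"DENIED  {action} in {region}")
    print(scp_json())
```

Attach the rendered document to the organizational unit that holds the EU accounts. Two caveats: an SCP only governs new API calls, so it neither moves data already stored elsewhere nor stops cross-region replication or backup jobs that were configured earlier, and it does not cover provider-side copies such as edge caches. Those still need the flow mapping from item 7.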
For the Procrastinators
Of course, not to put too fine a point on it, but you should have done all of this already. Still, the realities of day-to-day business being what they are, chances are that many of you reading this haven’t. So now that the date is basically upon you, start by at least knowing where your data is. And if it’s not where it’s supposed to be, then see point number 1 above until you have figured it out.
While you’re doing this, it’s a good idea to put a consent form in front of any part of your website that asks for personal information. Sagara Gunathunge, Vice President of the Apache Web Services project and Director at WSO2, offers some freely available examples of consent forms for a variety of purposes. But remember that you have to keep a record of who agreed, when, and to which version of the notice, so you can show a direct link between each consent and the information you’ve collected and whether it’s stored in the EU or elsewhere. Make the form clearly worded and precise, and say exactly what will happen to the information you’re collecting. Yes, it’s a pain in the neck. But the other choice is option 1.
Source: https://www.pcmag.com/news/gdpr-is-1-day-away-do-you-know-where-your-data-is